CRITICAL🇵🇱 Wersja polska

CVE-2025-24865

CVSS 10.0v4.0pub. 2025-02-13upd. 2025-03-04

The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.

🤖 AI Analysis
How it works

The vulnerability results from the lack of an authentication mechanism (CWE-306 — Missing Authentication for Critical Function) in the administrative web interface of the application. An attacker remotely, without any credentials, can gain direct access to the administrative functions of the system. No user interaction or special network conditions are required — network access to the interface is sufficient.

Impact

An attacker can read sensitive system information and upload arbitrary files to the server without knowing the password, which may lead to complete takeover of the SCADA system and pose a threat to industrial infrastructure.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Update available at the manufacturer's address: https://www.myscada.org/downloads/mySCADAPROManager/. Until the patch is implemented, it is recommended to restrict network access to the administrative interface only to trusted IP addresses and isolate the system from public networks using a firewall.

Who is affected

mySCADA myPRO Manager product — versions specified in the manufacturer's references and in the CISA ICS-CERT advisory (ICSA-25-044-16)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Myscada Mypro

    APP
    Myscada
    < 1.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-22896CRITICAL9.2PL ✓ten sam produkt

mySCADA myPRO Manager — przechowywanie poświadczeń w postaci jawnej (cleartext)

CVE-2025-25067CRITICAL9.3PL ✓ten sam produkt

Command Injection w mySCADA myPRO Manager — zdalne wykonanie poleceń OS

CVE-2024-4708CRITICAL9.3PL ✓ten sam produkt

mySCADA myPRO — hardcoded password umożliwiający zdalne wykonanie kodu

CVE-2022-2234CRITICAL9.9ten sam produkt

An authenticated mySCADA myPRO 8.26.0 user may be able to modify parameters to run commands directly in the op...

CVE-2021-43981CRITICAL10.0ten sam produkt

mySCADA myPRO: Versions 8.20.0 and prior has a feature to send emails, which may allow an attacker to inject a...